Embracing DevOps as a Security Professional
Swiss Cyber Storm 2018
Astha Singhal, Engineering Manager, Application Security, Netflix
How do you change your approach in a different engineering culture to achieve the same security goals?
Freedom and Responsibility
Context not Control*
Security @ Netflix
“Guardrails not Gates”
Product Security aka The Defenders
● Finding, Fixing and Preventing Vulnerabilities
● Threat modeling, Code Reviews, Penetration Testing
● Static and Dynamic analysis
● Security Consulting, Developer Training
Security Development Lifecycle
No way to know everything that’s being released
Not enough time and resources to review everything
Manual security approvals would slow everything down
Code analysis in a microservice, polyglot environment is really hard
Advantages of the Continuous Delivery model
- Centralized CI/CD to hook in security automation
- Cloud Infrastructure primitives to automatically derive asset inventory
- On-call to handle interrupt driven work
- Security is not “special”
- “Paved Road” to incorporate security controls
[Diagram: the “Paved Road” stack for a New App: Foundation Image, Web Server, AppServer, Language Runtimes, Health / Logs / Utils, Secrets, with connections to Other Services, a Security Group and an AWS Account. The second version of the diagram marks each component where security controls are already built in with a check mark; one component is marked with a question mark.]
Appsec Team Composition
What needs to change
- Enable your developers via security self-service
- Integrate with the developer workflows
- Build secure by default platforms
- Scale product security resources via automation
- Better automated visibility & action for developers
What stays the same
- Building relationships with your customers across the org is still important
- Security work continues to be driven by Enterprise Risk
- Strategic partnerships with high risk areas
- Developer training where relevant
- Pentesting and bug finding
Thank you